
8 Metrics to Help Quantify Your Businesses' Cyber Risk

September 11th, 2019 by admin


Cybersecurity is an important topic for our clients, but it encompasses a lot of different things. Managing cyber risk entails dealing with sprawling networks, endpoints ranging from work PCs to personal smartphones, and cybercriminals using increasingly sophisticated methods for launching attacks. We try to tackle these challenges with a systematic approach to understanding and prioritizing security vulnerabilities. In this way, we can focus on stopping the big threats while the minor issues are handled automatically by vulnerability scanning solutions and properly configured firewalls.

To see the benefits of your cybersecurity labors, you need to track a variety of metrics over time. This gives you a clear picture of your risks and of how to evolve and make changes so that you continually maintain the highest level of online security. It is critical to protecting your data and your business’s integrity. By tracking vulnerabilities using the following eight metrics, you’ll gain a clear, quantifiable understanding of your risk.

These key metrics can be divided into two categories:

  • Exploitability metrics that reflect the ease and means by which the vulnerability can be exploited
  • Impact metrics that reflect the impact of an attack which exploits the vulnerability. The higher the score, the greater the risk the vulnerability poses.

Let’s take a closer look at what each metric can track.

Key Exploitability Metrics

  1. Attack Vector
    This metric scores the context for how a vulnerability can be exploited. The more remote an attacker can be from the vulnerability, the higher the Attack Vector score. That means a vulnerability in your network that can be exploited via the internet will score higher than one that requires physical access to a device by an employee.
  2. Attack Complexity
    This metric measures the conditions that must exist to exploit the vulnerability, such as information about the target or specific configurations. The more conditions that are outside of the hacker’s control, the less likely the vulnerability will be exploited, lowering the score.
  3. Privileges Required
    This metric gauges the level of privileges an attacker needs in order to exploit the vulnerability. A vulnerability that doesn’t require any authorization, such as a social-engineering attack, will have a higher score than one that requires admin control.
  4. User Interaction
    This metric shows whether a human other than the hacker must take part for the vulnerability to be exploited. If no other human is required, the hacker can execute the attack whenever they want. However, if another user is involved, the hacker may have to wait for that user to take an action, like downloading a file, before the vulnerability can be exploited.
  5. Scope
    This metric addresses whether a vulnerability in one component will impact resources in other components beyond its security scope. For example, a vulnerability in an operating system can impact many other applications and, therefore, receive a high score, whereas a vulnerability in a single database would likely be limited to just that database and represent less overall risk.

Key Impact Metrics

  1. Confidentiality Impact
    This metric shows the impact on your data’s confidentiality if the vulnerability is exploited. A high score means an attacker can access restricted data, while a low score means the vulnerability won’t affect data confidentiality.
  2. Integrity Impact
    This metric scores the impact on data integrity when the vulnerability is exploited. It measures whether a hacker can modify any or all files protected by the impacted component, and whether the hacker’s modification presents a direct, serious consequence for the component. The greater the reduction in the trustworthiness and veracity of the data, the higher the score.
  3. Availability Impact
    While the Confidentiality and Integrity metrics apply to data, this metric scores the impact of the loss of availability of the impacted component itself, including information resources, bandwidth, processor cycles, and disk space. A total loss of availability scores higher than reduced performance. However, even the reduced performance of a mission-critical application like email can have more of an impact than the total loss of availability for a lower-priority application.

Improve Cybersecurity Performance Using These Metrics

By using vulnerability scanning tools, you can track and quantify these metrics to gain a clear understanding of your cyber risk and track improvement in your performance as you close vulnerabilities. However, not all scanning tools are created equal. Some only conduct occasional scans, while others make it difficult to understand your risk at a glance.

Our new partner, Arctic Wolf™ Managed Risk, combines real-time scanning and data from third-party systems to aggregate and quantify your risk indicators based on the industry-standard CVSS. This gives you a single, consolidated risk score that’s tailored to your business needs, helping you organize risks by type and priority. The result is a better sense of your risk and the ability to reduce your attack surface and ultimately prevent cybercrimes before they occur.


Check out their new whitepaper on combatting the top five cyberattacks with managed detection and response.
